It's impossible to sqlite3_bind_text a table name because sqlite3_prepare_v2 fails to prepare a statement such as:

SELECT * FROM ? ;

I presume the table name is needed to parse the statement, so the quoting needs to have happened before sqlite3_prepare_v2.

Is there something like a sqlite3_quote_tablename? Maybe it already exists under a name I can't recognize, but I can't find anything in the functions list.

Your proposed sqlite3_quote_tablename function could sanitize the input to prevent SQL injection attacks. To do this, it could parse the input to make sure it is a string literal. http://sqlite.org/lang_expr.html#litvalue
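
An added example, not part of the original thread and not an SQLite API: quote_identifier and build_select_all are hypothetical helpers that wrap a table name in double quotes and double any embedded double quote, so the name can be placed in the SQL text before sqlite3_prepare_v2 parses it. SQLite's own sqlite3_mprintf has a %w conversion that applies the same escaping for text placed inside double quotes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: quote `name` as an SQL identifier by wrapping it in
 * double quotes and doubling every embedded double quote. Returns a malloc'd
 * string the caller frees, or NULL for NULL/empty input or failed malloc. */
char *quote_identifier(const char *name)
{
    if (name == NULL || *name == '\0')
        return NULL;
    size_t len = strlen(name), quotes = 0;
    for (size_t i = 0; i < len; i++)
        if (name[i] == '"')
            quotes++;
    char *out = malloc(len + quotes + 3);   /* two delimiters + NUL */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '"')
            *p++ = '"';                     /* " becomes "" */
        *p++ = name[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Hypothetical helper: build the statement text that would be passed to
 * sqlite3_prepare_v2. Values still go through ? and sqlite3_bind_*. */
char *build_select_all(const char *table)
{
    char *q = quote_identifier(table);
    if (q == NULL)
        return NULL;
    size_t n = strlen("SELECT * FROM ;") + strlen(q) + 1;
    char *sql = malloc(n);
    if (sql != NULL)
        snprintf(sql, n, "SELECT * FROM %s;", q);
    free(q);
    return sql;
}

int main(void)
{
    char *sql = build_select_all("my \"odd\" table");  /* constructed name */
    if (sql != NULL) puts(sql);
    free(sql);
    return 0;
}
```

Quoting keeps the name from changing the statement's syntax; it does not restrict which table is read, so a name that comes from untrusted input should also be checked against a list of permitted tables.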